Several methods exist for updating patches: using a Microsoft tool such as Group Policy or Microsoft Systems Management Server (SMS), using a third-party tool, and manually repairing machines. When workstations require patches, users typically can't install them themselves—for security reasons, most users don't have local machine administrator rights.

However, users can often update their own patches. You need to create a global security group in Active Directory's (AD's) OU group (I call my security group patches_installer), then add the global group to every workstation's local administrator group. This action makes every Windows NT user ID in the patches_installer global group a local machine administrator. To automatically add this global group to the local machine administrator group, run a batch file that contains the following line:

net localgroup administrators
   "domain\patches_installer" /ADD

For security, keep the global group empty (i.e., don't add any user IDs to the group) so that users don't become machine local administrators by default.

When you need to patch a hotfix, add domain\domain users or an individual user ID to the patches_installer global group; use the OU group to centrally control the global group. Tell users to log off and log on again. Users will then have local machine administrator permissions to install patches.

After the patches are updated, remove all members from the patches_installer global group. Users will lose administrator rights after restarting their PC.